

A network error routed traffic for the UK's nuclear weapons agency through Russian telecom


For the past week, something strange has been going on in the European internet. For five days, web traffic from Texas to certain addresses in the UK has been routed through Ukrainian and Russian telecoms, taking a detour thousands of miles out of the way. Network traffic often takes a circuitous route as a result of network congestion or interconnection difficulties, but neither one would be enough to account for these routes. Instead, this was the result of a bad route announced by Ukraine's Vega telecom, inserting itself in between. "At this point, I have to believe this was an innocent mistake by Vega," said Dyn's Doug Madory, who first discovered the redirection, "but it's concerning nonetheless."


This phenomenon is known as "route hijacking," and it's a common security concern for network engineers and security researchers alike. It's particularly disconcerting here because of the sensitive nature of many of the sites affected. Among the dozens of affected sites were the UK's Atomic Weapons Establishment, which is tasked with managing and delivering the UK's nuclear warheads, and the Royal Mail, the UK's official postal service. US defense contractor Lockheed Martin was also running a VPN connection that was caught up in the redirection.

The VPN traffic, like almost all email traffic, would have been encrypted, but anyone listening in on the email traffic would still have been able to read the IP addresses of the communicating parties. Even worse, any site serving data over unencrypted HTTP would have been entirely in the clear, and potentially exposed to injection attacks by a malicious third party with access to an intermediate network. (Both AWE and Royal Mail serve their sites over unencrypted HTTP.) Because the routing table is public, it's easy to see exactly when and how the route hijacking occurred, but why is still a mystery, and we can't say for sure whether any data was altered in transit.

It's still likely that the redirection was simply an innocent error, but it underscores the insecure nature of the global routing system. While much of the web has grown more wary of digital attack, routing is still based on trust, with networks freely announcing routes and friendly telecoms adopting them as a matter of habit. As a result, inefficient and potentially insecure routes like this one can linger for days without being corrected, without the parties involved ever being aware of them.

The full traceroute is below, with the Ukrainian telecom visible at hop 11 and the Russian interconnection at hops 12 and 13:

trace from Houston, TX to Atomic Weapons Establishment at 03:22 Mar 12, 2015
1 *
2 173.193.118.140 ae12.dar02.sr02.hou02.networklayer.com 2.948
3 50.97.18.246 ae9.bbr02.sr02.hou02.networklayer.com 0.3
4 173.192.18.220 ae3.bbr02.eq01.dal03.networklayer.com 8.133
5 173.192.18.135 ae1.bbr01.tl01.atl01.networklayer.com 28.524
6 173.192.18.152 ae0.bbr01.eq01.wdc02.networklayer.com 42.033
7 173.192.18.195 ae7.bbr02.eq01.wdc02.networklayer.com 40.167
8 50.97.18.215 ae0.bbr01.eq01.ams02.networklayer.com 118.838
9 50.97.18.217 ae0.bbr02.xn01.fra01.networklayer.com 124.983
10 50.97.18.218 ae7.bbr01.xn01.fra01.networklayer.com 124.133
11 80.81.194.177 edge-3-2-5-231.kiev.ucomline.net 154.988
12 87.245.247.157 ae2-241.RT.NTL.KIV.UA.retn.net 155.174
13 87.245.233.238 ae2-10.RT.TC2.LON.UK.retn.net 158.221
14 195.66.224.10 linx1.ukcore.bt.net 161.442
15 194.72.31.130 (BTnet inter-pop routes, GB) 166.986
16 62.172.103.89 core1-pos1-1.birmingham.ukcore.bt.net 163.205
17 62.6.196.70 vhsaccess1-pos7-0.birmingham.fixed.bt.net 164.139
18 132.153.3.254 (Atomic Weapons Establishment, GB) 177.4